CRESTCon Europe 2023

PASTA Threat Modelling & Leveraging IR, Threat Intelligence as Means for Tactical Penetration Testing

Stage IV of PASTA is where threat intel and threat data become strongly relevant to building a highly contextualized threat model for applications. No other threat modeling methodology factors in threat intel or threat data to substantiate the attack patterns that support a threat actor’s objectives. In this talk, we’ll explore how threat data (e.g., firewall alerts, WAF alerts, EDR alerts), threat intelligence (e.g., threat advisories on embedded libraries, active threat campaigns, exploits-in-the-wild reports), and organizational incidents can shape and substantiate the build-out of a robust threat library in threat modeling. The heart of a threat model is the credibility of the threat library and how it’s constructed. Once a robust threat library has been built, a tactical blueprint for exploit or penetration testing can be carried out with impressive results.

After nearly 25 years of IT/InfoSec work across various industries, experience has fueled Tony’s drive to deliver a better information security consulting practice. In 2007 he started VerSprite (aka VerSprite Security) with the idea of developing a team of ‘security hybrids’: consummate security professionals who personify both technical mastery of emerging technologies and associated threats, and a foundation in business processes, understanding, and overall mindset. As such, the inception of ‘true spirited’ security consulting was developed. Through years of hands-on network, system, and software engineering and a foundation in risk management principles, the reality set in that true security, although relative to each organization, is best managed via a risk-based approach in which both data usage and functional use cases are understood in the context of viable threat scenarios and supporting attack vectors. This risk-based approach led to the mantra behind VerSprite Security as well as the PASTA threat modeling methodology (Process for Attack Simulation and Threat Analysis), a co-developed risk-based threat modeling methodology that Tony co-authored along with the accompanying book (Risk Centric Threat Modeling, Wiley 2015).